We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

The slow death of EU forum shopping

Forum shopping (i.e. where businesses pick and choose the most privacy-friendly EU state to set up shop) has always been a somewhat unique side effect of EU data privacy law. Then last year saw theGoogle Spain case where the European Court of Justice said that if a global organisation has a sales and marketing office in an EU country, it must follow the laws of that particular country. Now we have a regulator in Germany applying the Google Spain principle to another tech giant: Facebook.

You may have seen in the press recently that Facebook has a "real name policy". In fact, it changes users' fake user names to real ones or blocks them. The Hamburg Data Protection Authority (DPA) has taken issue with this. It says that Facebook is violating an individual's rights to "informational self-determination" under the German Telemedia Act. Facebook maintains that since its EU headquarters are in Ireland, it is subject to Irish, not German (or any other EU), data protection law. The Hamburg DPA has decided to fight this. It cited Google Spain and argued that because Facebook is economically active in Hamburg (i.e. has an office there), it has to abide by German law. In the DPA's words: "Facebook cannot again argue that only Irish data protection law would be applicable. Anyone who stands on our pitch also has to play our game".

However, the territorial test for application of data protection law under the current Directive is based on local establishment and use of equipment. Specifically, if a company is established in a jurisdiction it has to comply with local DP law. If it isn't (but is established in Ireland) then Irish DP law applies. So in 2013 the Administrative Court of Schleswig-Holstein in Germany held that Facebook was subject to Irish and not German DP law, since the processing of personal data occurred in Ireland rather than Germany. (The Court did not come to a decision as to whether Facebook had infringed any German DP laws.) TheGoogle Spain decision is re-interpreting the rules here.

It will be interesting to see how this all plays out, especially with the EU Data Protection Regulation now in its final stages of negotiation and the debate around whether the "one-stop shop" mechanism will finally put an end to forum shopping. To be continued...

Compare jurisdictions:Data Security & Cybercrime

"The newsfeeds deliver us the most recent legal analysis and practical information. There seems to be a broad analysis which is beneficial to us in analyzing various areas of law. It provides a snap shot update of various legal developments and assists us in staying current. The articles are well covered and include the right amount of detail. The size and depth of articles are good too, so we can get to the information one needs very quickly. The articles are typically of high calibre and from high-calibre authors who provide sufficiently succinct articles so that one can learn much about new developments in a short amount of time. I like the format because it is easy to scan for relevant articles. It's a great tool. I like the fact you can tailor the newsfeeds by jurisdiction and work area, and only receive information relevant to your practice."